We might have heard stories about programmers who forgot to remove their hardcoded secret key before committing to a public repository, and some others have accidentally committed their .crt file (in which they really shouldn't).
sniffgit
solves that problem:
- It helps you to check whether or not you forgot to remove any sensitive information (e.g. email, API key, etc) from your files.
- It checks if you have hidden, via .gitignore, all sensitive files (e.g. id_dsa, something.crt, etc) in your repository.
Simply run sniffgit
on your repository after installing it!
pip install sniffgit # Python 2
pip3 install sniffgit # Python 3
Recommended: go to the root of your root project and run the following command in terminal:
sniffgit
To skip line analysis, use the --no-lines
. As of version 1.0.3 --no-lines
is recommended for larger project due to the high number of false positive results. You can always help us by improving the way
sniffgit determine sensitive lines / information :)!
sniffgit --no-lines
To specify a particular directory to start the "scan", use the --root
argument:
sniffgit --root path/to/another_dir
To print out the list of processed directories at the end, use the --paths
flag:
sniffgit --paths
sniffgit
starts at a directory, called root, and see if there are any sensitive
files that have not been gitignored. sniffgit
then proceed to check all of the
child directories (and other directories below it) of the root.
sniffgit
also checks files with texts (.py, .go, .txt, etc) and see if there are
any potential sensitive lines (e.g. API_KEY, email, AWS_ACCESS_KEY_ID, etc) in it.
sniffgit
will report any potential sensitive lines that are exposed (i.e. located
in a non-gitignored file) in the result.
Some files, such as id_rsa
, *.crt
, *jks
, are known to be something that
needs to be kept secret. Hence they're considered as "sensitive files".
Line of codes that contain keyword such as email
or API_KEY
are likely to
contain private data. Hence they're considered as "sensitive lines".
There's a lot more files and keywords that can be included in the list, so it would be awesome if you could expand this project :)!
"safe sensitive files" are sensitive files that have been gitignored, hence it won't (most likely) appear in the repository for wandering eyes to see.
Meanwhile, "safe sensitive lines" are sensitive lines that are contained in a file that have been gititgnored, hence they are not publicly available on the repository.
- A more accurate sensitive line analysis to reduce false positive results.
- An option to deep to previous commits instead of only scanning the HEAD repo.
DISCLAIMER: The result of this program might not be completely accurate due to false positive, false negative result, etc. You can improve the program by contributing to this open-source project.